Digital certificate cross-referencing
Abstract
As part of a security infrastructure based on public-key cryptography, a first digital certificate (200) is issued by a first certification authority (104) to a first subscriber (102) and binds the first subscriber (102) to a first public key (210). The first public key (210) corresponds to a first private key held by the first subscriber (102), and the first public key and the first private key form a key pair for use in public-key cryptography. The first digital certificate (200) is digitally signed by the first certification authority (104) and includes subscriber information (206) pertaining to the first subscriber (102) and related certificate information (216) at least partially identifying a second digital certificate (200). The second digital certificate (200) is issued by a second certification authority (104) to a second subscriber (102) and is digitally signed by the second certification authority (104). It binds the second subscriber (102) to a second public key (210) corresponding to a second private key held by the second subscriber (102). The second public key and the second private key form a key pair for use in public-key cryptography. The first subscriber (102) is matched to the second subscriber (102).
27 Claims
1. A method for creating a first digital certificate for a first subscriber, wherein the first digital certificate binds the first subscriber to a first public key corresponding to a first private key held by the first subscriber, and the first public key and the first private key form a key pair for use in public-key cryptography, the method comprising:
determining, based on a predefined criteria, that the first subscriber is the same as a second subscriber of a second digital certificate, wherein the second digital certificate binds the second subscriber to a second public key corresponding to a second private key held by the second subscriber, and the second public key and the second private key form a key pair for use in public-key cryptography;
including in the first digital certificate related certificate information at least partially identifying the second digital certificate, wherein inclusion of the related certificate information in the first digital certificate indicates that it has been determined that the first subscriber is the same as the second subscriber according to the predefined criteria; and
digitally signing the first digital certificate.
Dependent claims: 2-18.
determining, based on the predefined criteria, that the first subscriber is the same as a third subscriber of a third digital certificate, wherein the third digital certificate binds the third subscriber to a third public key corresponding to a third private key held by the third subscriber, the third public key and the third private key form a key pair for use in public-key cryptography, the third certificate includes related certificate information at least partially identifying the second digital certificate, and inclusion of the related certificate information in the third digital certificate indicates that it has been determined that the third subscriber is the same as the second subscriber according to the predefined criteria; and
identifying the second digital certificate based on the related certificate information in the third digital certificate.

5. The method of claim 1 wherein the related certificate information pertains to the second subscriber.

6. The method of claim 1 wherein the related certificate information pertains to a period of validity of the second digital certificate.

7. The method of claim 6 wherein the related certificate information includes a date selected from the group of dates comprising:
an effective date for the second digital certificate, an expiration date for the second digital certificate, and a revocation date for the second digital certificate.

8. The method of claim 1 wherein the related certificate information includes data which has been one-way hashed.

9. The method of claim 1 wherein:
the first digital certificate includes a distinguished name of the first subscriber;
the second digital certificate includes a distinguished name of the second subscriber; and
the step of determining that the first subscriber is the same as the second subscriber comprises determining that a predefined portion of the distinguished name on the first digital certificate is the same as a corresponding portion of the distinguished name on the second digital certificate.

10. The method of claim 1 wherein:
the first digital certificate includes data pertaining to the first subscriber;
the second digital certificate includes data pertaining to the second subscriber; and
the step of determining that the first subscriber is the same as the second subscriber comprises determining that the data pertaining to the first subscriber on the first digital certificate is the same as the data pertaining to the second subscriber on the second digital certificate.

11. The method of claim 1 wherein the step of determining that the first subscriber is the same as the second subscriber comprises:
determining that data pertaining to the first subscriber not contained on the first digital certificate is the same as corresponding data pertaining to the second subscriber not contained on the second digital certificate.

12. The method of claim 1 wherein the step of determining that the first subscriber is the same as the second subscriber comprises:
determining that the first digital certificate is a replacement of the second digital certificate.

13. The method of claim 1, wherein the step of determining that the first subscriber is the same as the second subscriber comprises:
determining that the first digital certificate is a renewal of the second digital certificate.

14. The method of claim 1 wherein:
the first and second digital certificates comply with the X.509 format; and
the related certificate information is stored as an X.509 extension.

15. The method of claim 14 wherein:
the related certificate information includes an X.509 extension including a serial number of the second digital certificate;
the first and second digital certificates each include a subscriber distinguished name of their respective subscribers; and
the step of determining that the first subscriber is the same as the second subscriber comprises determining that the distinguished name on the first digital certificate is the same as the distinguished name on the second digital certificate.

16. The method of claim 1 wherein the step of determining that the first subscriber is the same as the second subscriber comprises:
determining that the first subscriber is trusted to a same degree as the second subscriber.

17. The method of claim 1 wherein the step of determining that the first subscriber is the same as the second subscriber comprises:
determining that the first subscriber is entitled to a similar degree of access to resources as the second subscriber.

18. A computer readable medium storing instructions for controlling a processor to execute one of the methods of claims 1-4, 8-13, 16 or 17.

19. A method for processing a first digital certificate including related certificate information, wherein the first digital certificate binds a first subscriber to a first public key corresponding to a first private key held by the first subscriber, and the first public key and the first private key form a key pair for use in public-key cryptography, the method comprising:
authenticating the first digital certificate;
reading the related certificate information from the first digital certificate, wherein the related certificate information at least partially identifies a second digital certificate, the second digital certificate binds a second subscriber to a second public key corresponding to a second private key held by the second subscriber, the second public key and the second private key form a key pair for use in public-key cryptography, and inclusion of the related certificate information in the first digital certificate indicates that it has been determined that the first subscriber is the same as the second subscriber according to a predefined criteria;
identifying the second digital certificate based on the related certificate information;
determining a status of the second digital certificate; and
responsive to the status of the second digital certificate, processing the first digital certificate.
Dependent claims: 20-27.
the step of determining the status of the second digital certificate comprises determining a degree to which the second digital certificate is trusted; and
the step of processing the first digital certificate comprises processing the first digital certificate with a similar degree of trust as the second digital certificate.

21. The method of claim 20 wherein the step of processing the first digital certificate further comprises granting access to resources based on a similar degree of trust as the second digital certificate.

22. The method of claim 19 wherein:
the step of determining the status of the second digital certificate comprises determining data to which the second digital certificate is used as an index; and
the step of processing the first digital certificate comprises using the first digital certificate as an index to the data.

23. The method of claim 19 wherein the step of processing the first digital certificate comprises conferring the status of the second digital certificate onto the first digital certificate.

24. The method of claim 19 wherein the first digital certificate is a replacement of the second digital certificate.

25. The method of claim 19 wherein the first digital certificate is a renewal of the second digital certificate.

26. The method of claim 19 wherein:
the first and second digital certificates comply with the X.509 format; and
the related certificate information is stored as an X.509 extension.

27. A computer readable medium storing instructions for controlling a processor to execute one of the methods of claims 19-23 or 24-26.
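The claims describe two sides of the scheme: the certification authority that determines the subscriber match and embeds related certificate information as an X.509 extension carrying the earlier certificate's serial number (claims 1, 14 and 15), and the relying party that authenticates the new certificate, reads the extension, identifies the earlier certificate, determines its status and processes the new certificate in response, conferring that status onto it (claims 19 and 23). The Go program below is an added example written for this page, not code from the patent or its assignee. It uses Go's standard crypto/x509 library, a hypothetical private-arc OID for the extension (the claims assign none), ed25519 keys, an in-memory map standing in for the CA's or relying party's certificate store, and constructed subscriber names; "trusted" and "revoked" are the only statuses it models.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID (the claims assign none); value: the earlier certificate's DER INTEGER serial (claim 15).
var relatedCertOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issue creates a certificate (claim 1); parent nil means a self-signed CA. With earlier given, the CA
// applies the claim 15 criterion (identical subject DN) and embeds the related-certificate extension, else refuses.
func issue(parent *x509.Certificate, signer ed25519.PrivateKey, serial int64, subject pkix.Name,
	pub ed25519.PublicKey, earlier *x509.Certificate) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	if earlier != nil {
		subjDER, _ := asn1.Marshal(subject.ToRDNSequence()) // the encoding CreateCertificate emits
		if string(subjDER) != string(earlier.RawSubject) {
			return nil, fmt.Errorf("criterion not met: subject DN differs from certificate %v", earlier.SerialNumber)
		}
		payload, err := asn1.Marshal(earlier.SerialNumber)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: relatedCertOID, Value: payload}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// process is the relying-party method of claim 19: authenticate the certificate, read the
// related certificate information, identify the earlier certificate in store, determine its
// status and act on it; here "trusted" is conferred on the new certificate (claim 23).
func process(cert, root *x509.Certificate, store map[string]*x509.Certificate, status map[string]string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(relatedCertOID) {
			continue
		}
		var serial *big.Int
		if _, err := asn1.Unmarshal(ext.Value, &serial); err != nil {
			return "", fmt.Errorf("malformed related-certificate extension: %w", err)
		}
		earlier := store[serial.String()] // the relying party re-checks the DN criterion itself
		if earlier == nil || string(earlier.RawSubject) != string(cert.RawSubject) || status[serial.String()] != "trusted" {
			return "", fmt.Errorf("certificate %v unknown, subject mismatch or not trusted (e.g. revoked)", serial)
		}
		status[cert.SerialNumber.String()], store[cert.SerialNumber.String()] = "trusted", cert
		return "trusted", nil
	}
	return "", fmt.Errorf("certificate %v carries no related certificate information", cert.SerialNumber)
}

// scenario issues an earlier certificate for a constructed subscriber, records its status,
// issues a re-keyed renewal for renewalCN cross-referencing it, and returns the outcome.
func scenario(earlierStatus, renewalCN string) (string, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert, err := issue(nil, caKey, 1, pkix.Name{CommonName: "Example Issuing CA"}, caPub, nil)
	if err != nil {
		return "", err
	}
	subject := pkix.Name{CommonName: "alice@example.com", Organization: []string{"Example Corp"}}
	oldPub, _, _ := ed25519.GenerateKey(rand.Reader)
	earlier, err := issue(caCert, caKey, 100, subject, oldPub, nil)
	if err != nil {
		return "", err
	}
	store := map[string]*x509.Certificate{earlier.SerialNumber.String(): earlier}
	status := map[string]string{earlier.SerialNumber.String(): earlierStatus}
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	subject.CommonName = renewalCN // equals the earlier CN on a genuine renewal
	renewal, err := issue(caCert, caKey, 101, subject, newPub, earlier)
	if err != nil {
		return "", err
	}
	return process(renewal, caCert, store, status)
}

func main() {
	fmt.Println(scenario("trusted", "alice@example.com")) // trusted <nil>
}
```

`scenario("trusted", "alice@example.com")` yields "trusted": the renewal carries a new key and its own validity period, and only the earlier certificate's status is carried across. With the earlier certificate recorded as revoked, or with a renewal whose subject DN differs, no status is conferred; in the second case the CA refuses at issuance, and the relying party would refuse anyway because it compares the stored certificate's subject against the new certificate rather than trusting the cross-reference alone.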